firewall {
   family inet {
      replace:
      /*
       * $Id: ag-loopback.jcl $
       * $Date: Sat, June 14, 2014 22:09:10 PM $
       *
       * Aggregation Loopback Filters
       */
      filter loopback-control-plane {
         /* 
          * Accept from Loopback
          */
         term accept-loopback {
            from {
               source-address {
                  127.0.0.0/8;
               }
               destination-address {
                  127.0.0.0/8;
               }
            }
            then {
               accept;
            }
         }
         /* 
          * Allowed icmp types
          */
         term accept-icmp {
            from {
               protocol icmp;
               icmp-type [0 3 8 11];
               ttl 1;
            }
            then {
               accept;
            }
         }
         /* 
          * Discard other icmp types
          */
         term discard-icmp {
            from {
               protocol icmp;
            }
            then {
               discard;
            }
         }
         /* 
          * Accept from admin on all ports
          */
         term accept-admin {
            from {
               source-prefix-list {
                  admin-networks;
               }
            }
            then {
               accept;
            }
         }
         /* 
          * Accept Network protocol
          */
         term accept-network {
            from {
               protocol [ ah ospf vrrp ];
            }
            then {
               accept;
            }
         }
         /* 
          * Accept UDP traceroute
          */
         term accept-udp-traceroute {
            from {
               protocol udp;
               destination-port 33434-33534;
            }
            then {
               accept;
            }
         }
         /* 
          * Accept ICMP traceroute
          */
         term accept-icmp-traceroute {
            from {
               protocol icmp;
               icmp-type [3 11];
            }
            then {
               accept;
            }
         }
         /* 
          * Prefixlist must be updated when local ip addresses change
          */
         term discard-local-tcp {
            from {
               destination-prefix-list {
                  local-inet-addresses;
               }
               protocol tcp;
               destination-port [ 830 https ssh telnet www ];
            }
            then {
               discard;
            }
         }
         /* 
          * Prefixlist must be updated when local ip addresses change
          */
         term discard-local-udp {
            from {
               destination-prefix-list {
                  local-inet-addresses;
               }
               protocol udp;
               destination-port snmp;
               ttl-except 255;
            }
            then {
               discard;
            }
         }
         /* 
          * Accept by default
          */
         term accept-all {
            then {
               accept;
            }
         }
      }
   }
}
